Story image

Twitter suspects state-sponsored ties to support forum breach

19 Dec 18

One of Twitter’s support forums was hit by a data breach that may have ties to a state-sponsored attack, however users' personal data was exposed.

The support forum is dedicated to account holders who are having issues with their account and need to contact Twitter.

Twitter began working on a fix for the breach on November 15 and was promptly fixed by November 16. The breach allowed the attackers to discover the country code of Twitter users’ phone numbers - if a number was associated with their account.  

Attackers could also find out if users’ accounts had been locked by Twitter. Twitter does this when an account appears to violate the company’s rules or terms of service.

“Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter states.

The company also says it has been investigating where the attack came from and its background so users are well informed.

“During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors.”

The company says it remains committed to full transparency and it has notified law enforcement about its research. Its biannual Twitter Transparency Report published trends in a number of areas, including platform manipulation, information requests, email privacy, and removal requests.

“No action is required by account holders and we have resolved the issue,” Twitter writes.

The company has also set up a data protection inquiry form for users who have questions or concerns. The form provides a secure form for users to contact Twitter’s data protection officer, Damien Kieran. 

This is not the first time Twitter has been caught up in a data breach – although most of them were its own fault.

In May 2018, a bug exposed Twitter users’ passwords that were stored in plain text in an internal log. The company encouraged all Twitter users to change their passwords.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” CTO Parag Agrawal wrote in May. 

Just four months later, Twitter’s Account Activity API allowed third party developers to accidentally expose user activity data including direct messages and protected tweets. The bug affected less than 1% of Twitter users, however it remained at large for more than a year from May 2017 to September 2018.

Twitter apologises for the latest breach.

“We recognise and appreciate the trust you place in us, and are committed to earning that trust every day. We are sorry this happened.”

Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Office workers frustrated by poor information management systems
82% of workers believe poor information management is damaging their productivity in the workplace.
Jobs 'aplenty' for freelance writers, devs & ecommerce specialists?
Jobs tagged with the keyword ‘writing’ took the top spot as the fastest moving job in 2018.
Updated: Chch crypto-exchange Cryptopia suffers breach
Cryptopia has reportedly experienced a security breach that has taken the entire platform offline – and resulted in ‘significant losses’.
Edtech firm Kami raises $1.5m
New Zealand edtech startup Kami has raised $1.5 million to help take the company to North America and beyond. 
How SMBs can use data to drive business outcomes
With the right technology, companies can capture consumer, sales, and expense data, and use it to evaluate and construct future plans.
Startup launches online marketplace for lending items in AU
Think TradeMe, eBay, Amazon, except instead of buying products, you’re renting spare items from everyday consumers.
Adobe revamps Experience Cloud for retailers
Adobe has revamped its Adobe Experience Cloud to offer customer experience management (CXM) capabilities that draw on AI and machine learning technology.